[ISN] Tightening the Net on Cybercrime

From: InfoSec News (alerts@private)
Date: Thu Feb 01 2007 - 03:36:47 PST


By Kim Zetter
Jan, 31, 2007

David Thomas' entree to online crime came through the conventional world 
of offline crime. He was born to a Texas oil family, but this 
circumstance did little to grease his way through life. His parents 
divorced when he was four, and his father, a geologist and oil 
prospector, walked out of his life and died destitute in 1987, leaving 
Thomas with nothing more than a small oil royalty on a barren tract of 
Texas land.

Left to his own devices, Thomas gravitated to trouble. At 14, he stole a 
car -- his first felony; by 30 he'd been arrested several times for 
check fraud, forgery and burglary.

In the 1980s, it looked like things were turning around for him after he 
married, had kids and caught the computing wave, launching a business 
building PCs. But his climb up from crime didn't last long.

In 1993 he was working for a Texas company contracted to install 
electronic key-card systems in Doubletree hotels when Thomas thought his 
employer was mistreating Doubletree and convinced the hotel to give him 
the $250,000-a-year contract instead. He was sure it would lead to other 
contracts. But he'd also just bought a new home in a gated community and 
needed money for the mortgage. So he bought cheap parts and overcharged 
Doubletree to get quick cash -- a bad choice made worse by the fact that 
the components were faulty.

He worked overtime to install the first system in Doubletree's Kansas 
City hotel then turned his phone off to rest. As luck had it, those were 
the days President Clinton's advance team were in town and staying at 
the hotel. When the key system failed, they were locked out of their 
rooms. Thomas turned his phone on a few days later to a series of shrill 
messages from the hotel manager. "Where are you? The computers are 
crashed, what are we going to do?!" Then: "You bastard! You son of a 
bitch! You'll never work in this town again!"

Thomas lost his house and marriage, and over the next decade alternated 
between legitimate and criminal work, none of it very successful. He got 
a job installing databases, then got fired when the company discovered 
he was on probation for check fraud. Then he smuggled marijuana across 
the Mexican border. After that more check fraud followed.

In 1998, at 40, he met Bridget Trevino on an IRC channel -- she was 25 
and living with her mother. They crisscrossed the country for a year, 
living on money from relatives and forged checks. It was the perfect 
match. "We never argued. We both liked the same exact kind of life -- 
you know, quiet, sedate, white-picket fence," he says with no hint of 

Their vehicle broke down in the Midwest in November 1999, and two weeks 
later Thomas got a phone call, and a rare lucky break. The Texas land 
his father left him turned out to have oil and gas reserves beneath it. 
Big royalty checks started rolling in -- first $2,000 a month, then 
$6,000 and $8,000. Thomas vowed never to return to crime, and for a year 
and a half the vow stuck. Then the oil flow slowed, and the checks 
dropped back to $2,000 then $1,500.

Fearing the well was about to run dry, he sold his royalties on 
Energynet.com, an auction site where the wealthy traded oil and gas 
royalties, and got $70,000 -- enough for a down payment on a ranch 
house. But after six months the money and house were gone. "I never 
thought things would go south on me like they did. At that point I was 
bitter," he says.

He turned to his old standby, check fraud; but with outstanding 
warrants, he needed a new identity. That's how he found Counterfeit 
Library, a British website where vendors sold "novelty" IDs -- fake IDs 
that were the stock-in-trade of identity thieves. The site was "total 
nirvana for a criminal," Thomas says, and a revelation.

Thomas had used fake IDs before, but they wouldn't stand up to scrutiny 
in bright light. Counterfeit Library IDs, by contrast, were genius, with 
holograms and magnetic stripes. For $150 you could buy any ID you wanted 
-- military, federal employee, even the FBI or Secret Service. A little 
more would get you the whole "rebirth package": birth certificate, 
driver's license, passport, Social Security card, employee badge (name 
your dream job), even utility bills to establish proof of residency.

There was also a service called PhantomInfo, which consisted of a script 
that tapped into the computers of the ChoicePoint data broker. For $29 a 
month you could send unlimited e-mails to phantominfo@private 
containing the names of victims whose identity you wanted to steal; the 
program would search ChoicePoint's database and reply with the victim's 
Social Security number and current address.

"Today, it's just normal, everyday stuff," Thomas says. "But back then 
it was the first that we had seen of that kind."

This was the start of something big. A small number of carders had long 
exchanged stolen identity information and credit card numbers on 
electronic bulletin boards and IRC channels. But websites like 
Counterfeit Library launched a whole new era of white-collar crime, 
lowering the entrance barrier for those who never would have found such 
information otherwise, and creating a global market for trading in large 
amounts of hacked data. For the first time, crooks could specialize in 
criminal niches, and market that expertise to thousands of collaborators 
across borders.

In addition to fake IDs, Counterfeit Library had forums where members 
traded in special deals. But to participate in the best deals you had to 
be a senior member, and to be a senior member you had to have 1,000 
posts to your name. So, adopting the online nickname "El Mariachi," 
Thomas set out to make 30 posts a day, aiming for senior status in five 

Thomas wrote quality content that got him noticed. He wrote tutorials on 
bank fraud -- "$30,000 on a $3,000 Investment" and "Payroll Checks for 
Fun and Profit" -- as well as long, introspective pieces about a hard 
life lived and lessons learned. The piece that got him the most 
attention was a solemn meditation on karmic retribution, which he wrote 
after he and Trevino found the windows of their Cadillac vandalized 
while they were out passing bad checks. "We were out doing wrong 
things," he says, "and it was our time to pay the price."

He developed a following on the boards among older members who 
considered him a fellow traveler on the hard-luck path, and younger ones 
who were glad to get a fatherly ear in the quiet hours after midnight. 
The positive feedback was a drug to Thomas. He loved leaving the weak 
David behind and taking on a new persona. Where David Thomas was 
insecure, El Mariachi was confident and worldly. Where David was 
unsuccessful at crime, El was a master con man. On the boards, all his 
neuroses seemed to disappear.

"El is the key to the strength that I have," Thomas says. "I know it 
sounds psychotic . . . but that is the boards. The characters are built 
around people who have low self-esteem, and they're looking on the 
boards for whatever they're missing in life."

But Counterfeit Library was soon supplanted by a new and vigorous type 
of online criminal marketplace, led by the arrival of the Eastern 
European fraud merchants.

Eastern Europe, particularly Russia, Ukraine and Romania, has become a 
wellspring of internet crime in recent years -- a result of rampant 
corruption, economic decline and too many young hackers with 
sophisticated skills and a dearth of legitimate opportunity. (See 
sidebar, "Tracking the Russians" [1]). Organized crime mobs from these 
countries have joined forces with hackers and become adept at crafting 
and carrying out online attacks of varying sophistication: from simple 
phishing ruses to active database intrusions. "Because organized crime 
is so well-entrenched there, and tolerated by authorities to some 
extent, they're the one who are moving into it most aggressively," says 
James Lewis, a senior fellow at the Center for Strategic and 
International Studies.

It's only natural that the bank-card system would draw their attention.

"It was the Russians who ... brought plastic online," Thomas says. "They 
had manufacturing facilities to manufacture credit card plastic and put 
data on it, and guys on the English side were like, 'Whoa!'"

The "Russians" included two twenty-something Ukrainians named Dmitry 
Golubov and Pavel Chistov who, according to law enforcement officials, 
joined with 150 other Eastern European criminals in convening a summit 
at an Odessa restaurant in the spring of 2001. The result was 
CarderPlanet, a highly organized online carding and money-laundering 
emporium that set the standard for all carding sites that followed.

According to Thomas, Golubov, aka "Script," [2] was a spammer who 
realized the potential for carding when he saw how easily people sent 
their credit card numbers through e-mail to purchase the products he 
hawked. His group of cohorts paid hackers $1,000 a day and more to crack 
bank and card-processing databases to steal credit card numbers, which 
they sold in "dumps" of hundreds of numbers online. They set up botnets 
to spam out phishing lures, and even created a makeshift factory for 
manufacturing blank plastic cards with magnetic stripes and holograms. 
When Russian authorities eventually raided their workshop [3] in June 
2003, they found 8,000 counterfeit credit cards, according to an article 
in Pravda.

CarderPlanet's how-to tutorials and message boards became a daily 
must-read for criminals looking to make their mark in the burgeoning 
field of cybercrime. As one Russian carder noted in a message on the 
site: "Some people read 'Kommersant', others 'Pravda,' but we -- 

"They were advancing crime by leaps and bounds," Thomas says. "It was a 
24/7 operation that never slept."

Where the Russians went, everyone else followed. Although CarderPlanet 
was initially exclusive to Eastern Europeans, the site later added an 
English-speaking forum to attract partners in the United States and 
Britain who could cash out ATM cards and run drop addresses for stolen 

The site eventually amassed 7,000 members, according to authorities, 
about 450 of whom overlapped with an increasingly popular U.S. site 
called Shadowcrew.

"When Shadowcrew first came up and people made a $5,000 score, people 
were like 'Wow, you're big time,'" Thomas says. "But later on ... guys 
were making $100,000 a day."

A former Irish carder who used the nick "ITR" told Wired News in an 
e-mail that the amount of cash he pulled in from his carding days was, 
at times, hard to keep up with. When asked how much he stole, he 
replied, "Above the national average, and with some decent investment 
life is good."

Thomas, of course, wanted in on the action. It wasn't long before he 
hooked up with a Ukrainian man named "Big Buyer," one of the top Eastern 
European carders, whose nick derived from his penchant for maxing out 
stolen credit card numbers with big-ticket items, such as $30,000 
watches. "If he had $50 left on the card, he'd go find another item to 
max out the card," Thomas says. [4]

Thomas went to Seattle where he began laundering money and receiving and 
selling merchandise for Big Buyer.

But carding wasn't his ultimate goal. Thomas had bigger plans in mind. 
He was devising a scheme to defraud traders at Energynet.com, the 
auction site where he'd sold his father's oil rights. He needed money 
from the Big Buyer operations to establish himself as a player at 
Energynet, where he planned to sell $5 million in oil and gas royalties 
that didn't exist.

The "Rockford op," as he dubbed it in honor of James Garner's character 
in The Rockford Files, would be his final scam, the swan song every 
grifter dreams of that would allow him to retire from a 30-year mediocre 
career in crime that he no longer had the stomach to pursue.

But it was not to happen. Thomas was on the carding sites only five 
months before he and Taylor were arrested in Issaquah, Washington, and 
he began his new role for the FBI.

"I'd like to screw this guy, but it's not my field," a carder using the 
name "BoBaBc" wrote on CarderPlanet a few months after Thomas started 
work for the FBI. "If you can help me set it up we'll split it."

Some aspects of online fraud are seasonal -- in December, consumers are 
likely to receive malicious software crafted as electronic Christmas 
cards, for example. In 2004, the upcoming national election was looming 
large in America's consciousness, and cybercrooks like BoBaBc were 
looking for ways to cash in.

BoBaBc told Thomas he'd planted Trojan horses on the home computer of 
Darryl Tattrie, then a comptroller for the Kentucky Democratic Party. 
The hacker found numerous financial files on the computer, among them a 
spreadsheet listing donations to the party coffers, a list of bank 
account numbers with the names of people authorized to use them, and 
even a digital copy of Tattrie's signature for printing checks.

The fraudster had a plan to funnel $250,000 from the party's campaign 
fund to an offshore bank account, and frame Tattrie for embezzlement. 
But he was a newbie to wire transfers and needed Thomas' help. Thomas 
tutored him for several days, and helped him compose a fax to the 
party's bank. But, of course, he was working both sides. When BoBaBc's 
anonymous cell phone broke, Thomas sent him a new one -- courtesy of the 
FBI. Thomas assumes the phone was under surveillance.

It's unclear how BoBaBc's scheme played out in the end. Around the time 
that BoBaBc intended to send the fax, he disappeared from the boards, 
and Thomas never heard from him again.

Tattrie, who now works for the Arizona Democratic Party, said that 
authorities spoke with him about the hack, but wouldn't elaborate on 
what agency was involved or what was said. It appears, though, that 
BoBaBc never made good on his embezzlement threat. Officials at the 
Kentucky Democratic Party and the party's bank say they never received 
the wire transfer request. [5]

BoBaBc wasn't completely idle, though. Around the time that he was 
purportedly planning his attack on the party's coffers, Tattrie returned 
from a trip to find that someone had transferred $6,000 from his 
personal bank account. His ISP had also canceled his internet service on 
grounds that someone had been using his account to distribute spam while 
he was away.

The Kentucky Democratic Party wasn't the only political group targeted 
by carders that year. As the presidential campaign heated up, there were 
other schemes surfacing.

One carder using the nicks "Mesh" and "Nasa" decided to phish the Ralph 
Nader campaign site [6]. According to chat logs of his discussions with 
Thomas, he paid a coder to create a phony Nader campaign page that 
charged the donor's credit card and, cleverly, delivered the funds to 
the campaign, while simultaneously sending the card info to him.

When the scammer told Thomas what he was doing, Thomas joked that he 
should phish the Bush campaign site, too. So the scammer complied.

These were heady times for Thomas. He applied himself more diligently to 
his new job for the FBI than he ever had to other jobs, or even to his 
life of crime. In some ways it was the best of both worlds for him. He 
could spend his days immersed in the activities of the community he 
loved, scheming to commit crimes, without having to worry about being 
arrested. Of course, he didn't make money from his capers, but the 
thrill of being back in the game as El Mariachi and being in the know 
about what was happening on the boards made up for that.

Then in December 2003, Thomas' online war with other carders crossed a 
line and he found himself banned from some of the sites. That's when he 
decided to launch TheGrifters.net and become his own site administrator. 
The ban turned out to be a blessing: As the owner of his site, he now 
had unfettered access to all communication on the board.

On the surface, it seems remarkable that the FBI would finance and run 
an operation like TheGrifters, which facilitated crimes that inflicted 
very real financial losses against innocent consumers, merchants and 
banks. But Department of Justice guidelines (.pdf) [8] allow the bureau 
to run long-term "criminal intelligence" investigations like the one 
Thomas describes, with no specific arrests or prosecutions anticipated, 
provided the target is a terrorist group or a "racketeering enterprise." 
The latter could clearly describe the community that immediately began 
gathering at TheGrifters.

Thomas had barely launched the site when he made his biggest catch, a 
Russian spammer who used the nick "King Arthur" and was one of the 
pioneers of phishing attacks. King kept a fairly low profile on the 
boards and avoided much of the drama and fighting that American carders 
were becoming known for. He had a much-coveted program for generating 
bank algorithms that would authenticate debit and credit cards to an ATM 

What he didn't have was language skills. He wanted to steal money from 
customers of Minneapolis-based U.S. Bank, which boasts nearly 2,500 
branches and 5,000 ATMs in 24 states. But he needed a native English 
speaker to author a phishing e-mail that could fool Americans into 
relinquishing their account and PIN numbers. That's where Thomas came 

U.S. Bank was targeted because some of its accounts allowed $2,000 or 
more in daily ATM withdrawals. A thief could withdraw two grand from an 
account at 5:59 p.m. one day and get another two grand at 6:01 p.m. -- 
the time when U.S. Bank ATMs reset themselves for the next business day.

Butler approved the operation, Thomas says, because phishing attacks 
were just coming onto the scene and he wanted to see how they operated. 
Thomas also thinks Butler was hungry for a big scam.

"(Butler) never wanted to work small cases," Thomas says. "He said, 
'Look, if I get involved in an investigation or doing an intelligence 
deal and it's all simple time, I'd be working small time for the rest of 
my life.... I'm only doing the big stuff.'"

Today, according to some published reports, phishing attacks average 
17,000 a month, with no sign of abating. But in early 2004, most people 
hadn't heard of phishing yet and were easily fooled by the scams. So 
when King sent out his phishing attack, it wasn't long before account 
and PIN numbers were rolling in, some with balances exceeding $100,000.

Thomas was in charge of finding cashers for those accounts who wouldn't 
"rip." It was a common problem with ATM cashers. "You send a guy out to 
an ATM, he's going to be honest the first time or two out, and then he's 
going to start dipping in," Thomas says.

It was easy to claim that a card number hadn't worked, then pocket the 
cash. That is, unless you worked with Russian carders, who often claimed 
to have online access to the compromised bank accounts and knew exactly 
how much money a casher withdrew.

Thomas sent the numbers to a guy who used the nick "Myth," who coded 
them to blank cards and doled them out to 25 cashers across the country. 
Their job was to move from city to city hitting ATMs. Among the cashers 
were "Decep" and "John Dillinger," a carder who described his cashing 
activities [10] to Wired News earlier this year before he was arrested 
[11]. Decep claimed to pull $11,600 from nine cards one night. Myth got 
$90,000 in a few days, according to Thomas [12].

The cashers wired 80 percent of their take to King in Russia through 
Western Union, while Thomas tracked card numbers and amounts on a 
spreadsheet and kept copies of ATM receipts, which the cashers were 
required to scan [13]. As far as Thomas was concerned, it was all about 
keeping King happy. If Thomas got labeled a ripper, King and others 
wouldn't do business with him, and then he'd lose his value to the FBI. 
Every six months Thomas says the FBI rebudgeted for his surveillance 
work, and he was always worried that Butler would pull the plug if he 
didn't prove his worth.

"The thing you have to fight, that you're always fighting, is the 
diminishing value curve," Thomas says. "If you did really good last 
month and this month you're shit, you're already a diminishing value."

Throughout all of this, Thomas actively participated in King Arthur's 
schemes without FBI interference, despite the impact on banks and 
consumers. Although federal law requires that banks absorb such fraud 
losses, consumers are still left with the burden of reporting missing 
funds in a timely manner and with proving that the transactions are 
fraudulent -- which can be a time-consuming process.

While the cashers were draining bank accounts, U.S. Bank, one of the 
financial institutions hit by King, was telling reporters that no 
customers lost money [14].

Thomas doesn't know how much the King operation brought in altogether 
because King had other cashers working other banks for him in the United 
States and Europe, such as a 24-year-old Texan named Douglas Cade 
Havard, who authorities said absconded with millions before being 
arrested with a partner in the United Kingdom in 2004. British officials 
said that Havard and a 25-year-old Scot named Lee Elwood stole about 
$11.4 million over 18 months. They were caught only after an accomplice 
was arrested in Austin, Texas, trying to board a plane carrying $30,000 
in $20 bills [15].

As for King's operation with Thomas, the Russian was so happy with the 
success of the U.S. Bank phish that Thomas authored for him, that he 
decided to phish the Federal Trade Commission as well. He said he hated 
President Bush and wanted to attack a government financial institution. 
Thomas explained that it wasn't the FTC he wanted, but the Federal 
Deposit Insurance Corporation. The phish, which Thomas helped write, 
went to 40 million addresses in 24 hours, according to Thomas.

The mail told recipients that the FDIC had suspended federal deposit 
insurance on their bank account due to suspicious activity that violated 
the Patriot Act. The consumer could lift the ban at the FDIC's IDVerify 
page (a bogus site hosted on a server in Pakistan) by providing their 
debit card and PIN number for verification. Failure to comply could 
result in a visit from the Department of Homeland Security.

But, tipped off to the phishing attack, the FDIC issued a special public 
alert [16] about the scam, and few people fell for it. The agency also 
phoned the Pakistani hosting company and persuaded it to take down the 
fake site [17].

Things grew more harried with the King Arthur schemes, when money that 
the U.S. Bank cashers wired to Russia suddenly stopped going through. 
Thomas says the FBI allowed about $17,000 to find its way to Eastern 
Europe before blocking the rest [18].

King wasn't pleased. He'd left Shadowcrew after proceeds from cashing 
operations based there stopped flowing to him. Now the same thing was 
happening at TheGrifters. He wanted the cashers to return to Western 
Union and recover the blocked funds, which in some cases meant sending 
cashers back to cities they'd left. "It was a ... nightmare," says 
Thomas. "You knew there (wasn't) going to be any recovery ... because 
the feds had locked that money up."

Then Myth started ripping. In Oregon, he had 100 bank accounts to cash 
out one day, but claimed most of them didn't work [19]. Things were 
getting out of hand. As King pressed Thomas to come through with the 
missing Western Union cash, one of Thomas' enemies at Shadowcrew 
discovered that King was doing business with Thomas and sent a copy of 
his old Issaquah police report to the Russian.

Butler had had enough.

"(Butler) calls me up and says, 'Shut it down, we're not doing it 
anymore,'" Thomas says. And that was the end of the King operation. It 
wouldn't be long before it was the end of TheGrifters, CarderPlanet and 
Shadowcrew, too.


[1]  http://www.wired.com/news/technology/0,72605-0.html
[2]  http://mosnews.com/news/2005/07/21/ukronlinefraud.shtml
[3]  http://english.pravda.ru/accidents/21/96/383/14751_cards.html
[4]  http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc1
[5]  http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc2
[6]  http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#fdesc3
[7]  http://www.wired.com/news/technology/0,72581-2.html?tw=wn_story_page_next2#
[8]  http://www.usdoj.gov/olp/generalcrimes2.pdf
[9]  http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc4
[10] http://www.wired.com/news/culture/0,71479-0.html 
[11] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc5
[12] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc6
[13] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc7
[14] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc8
[15] http://www.wired.com/news/technology/0,72581-3.html?tw=wn_story_page_next3#fdesc9
[16] http://www.fdic.gov/news/news/SpecialAlert/2004/sa0504.html
[17] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc10
[18] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc11
[19] http://www.wired.com/news/technology/0,72581-4.html?tw=wn_story_page_next4#fdesc12

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Feb 01 2007 - 03:53:14 PST